Tech

SecurityScorecard taps HackerOne to bring bug bounty data to security ratings

Join Transform 2021 this July 12-16. Register for the AI event of the year.


HackerOne and SecurityScorecard have announced a platform integration that will showcase data from the ethical hacking community on a company’s digital scorecard.

SecurityScorecard, for the uninitiated, is a cybersecurity rating and risk-monitoring platform major companies such as Nokia, AXA, and Liberty Mutual use to monitor and assess security throughout their supply chain, including weaknesses in third-party vendors. It’s kind of like a credit score rating for security.

HackerOne, meanwhile, connects businesses with security researchers, or “white hat hackers,” who are financially incentivized to find software vulnerabilities before bad actors do. The HackerOne platform has powered bug bounty programs for major businesses, including Microsoft, Google, Intel, the U.S. Department of Defense, and Goldman Sachs. The San Francisco-based company recently touted major enterprise growth, with nearly half of its new sales stemming from businesses with over $1 billion in revenue.

Risk categories

SecurityScorecard uses 10 broad risk categories as part of its rating system, including endpoint security, network security, DNS health, and patching cadence. It also uses a risk category it calls “hacker chatter,” which automatically collects and analyzes conversations from popular public hacker community channels, such as private forums, social networks, and internet relay chat (IRC). It’s all about finding mentions of a business and its associated digital properties to assess whether any potential undisclosed exploits are being discussed.

This latest partnership with HackerOne builds on that basic concept, though it instead surfaces official bug bounty and vulnerability disclosure data gleaned from HackerOne’s API.

Above: HackerOne score in SecurityScorecard

For SecurityScorecard customers, a “hacker report” signal will appear on scorecards for companies that use HackerOne, though this is on an entirely opt-in basis.

Companies will be able to see recent security issues involving companies in their supply chain and take appropriate action — with the ability to download a CSV file containing all of HackerOne’s findings.

Perhaps more importantly, this goes some way toward helping interested companies be more transparent about their vulnerability disclosure activities and the current status of flaws that have been identified.

VentureBeat

VentureBeat’s mission is to be a digital town square for technical decision-makers to gain knowledge about transformative technology and transact. Our site delivers essential information on data technologies and strategies to guide you as you lead your organizations. We invite you to become a member of our community, to access:

  • up-to-date information on the subjects of interest to you
  • our newsletters
  • gated thought-leader content and discounted access to our prized events, such as Transform 2021: Learn More
  • networking features, and more

Become a member

Leave a Reply